Author Topic: ArbiterSports database lifted/ransomed

Offline HLinNC

  • *
  • Posts: 3491
  • FAN REACTION: +133/-24
ArbiterSports database lifted/ransomed
« on: August 27, 2020, 04:19:52 PM »
I received a letter today from ArbiterSports dated 8/24/2020 indicating there had been a database breach and apparently they paid the ransom to have said data files deleted.  From responses I received today it appears they may have also sent e-mails out regarding this hack.

They are offering a year's free subscription to an Experian ID service in response.  Apparently the breach compromises user id, e-mail addresses, SSN's, and personal data but they did not mention CC #'s.

2020 truly sucks.
 hEaDbAnG
 pi1eOn

Online Etref

  • Administrator
  • *****
  • Posts: 2291
  • FAN REACTION: +85/-28
  • " I don't make the rules coach!"
Re: ArbiterSports database lifted/ransomed
« Reply #1 on: August 27, 2020, 04:40:11 PM »
Anything online is risky anymore, and more and more we are going online!

Really sucks sometimes
" I don't make the rules coach!"

Offline bossman72

  • *
  • Posts: 2119
  • FAN REACTION: +301/-25
Re: ArbiterSports database lifted/ransomed
« Reply #2 on: August 28, 2020, 08:30:57 AM »
Quote
I received a letter today from ArbiterSports dated 8/24/2020 indicating there had been a database breach and apparently they paid the ransom to have said data files deleted.  From responses I received today it appears they may have also sent e-mails out regarding this hack.

They are offering a year's free subscription to an Experian ID service in response.  Apparently the breach compromises user id, e-mail addresses, SSN's, and personal data but they did not mention CC #'s.

2020 truly sucks.


Most of us have our bank accounts linked there too, so don't be surprised.
Arbiter has always had cut-rate IT security and it finally caught up with them.  They even used to store their passwords in plain text until a few years back.
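The plaintext password storage bossman72 describes, side by side with the salted, deliberately slow hashing that a dumped user table should have met. This is an added illustration, not code from ArbiterSports or from anyone in this thread; it uses only the Python standard library, and the cost parameters, the record format and the two sample user rows are constructed assumptions.

```python
"""Plaintext password storage versus salted scrypt hashing (stdlib only).

Added illustration; not code from ArbiterSports or this thread. The cost
parameters and the sample user rows below are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Cost parameters (assumption: raise N until one hash takes ~100 ms on the login
# servers). scrypt needs 128 * N * R bytes of memory, 16 MiB with these values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


# --- the weak pattern the thread describes ----------------------------------
def store_plaintext(password: str) -> str:
    """Store the password as-is: a dumped table or backup yields every credential."""
    return password


# --- the hardened pattern ---------------------------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$R$P$salt$digest'. A fresh 16-byte salt per user means a
    leaked table cannot be attacked with one precomputed table for all rows."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, attempt: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant
    time. Anything that is not a well-formed scrypt record (a leftover plaintext
    row, an absurd cost that would exhaust memory) is rejected."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, digest = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    if not salt or not digest or n > 2 ** 20 or r > 32 or p > 16:
        return False
    recomputed = hashlib.scrypt(attempt.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(digest))
    return hmac.compare_digest(recomputed, digest)


def migrate_plaintext_table(table: Dict[str, str]) -> Dict[str, str]:
    """One-shot migration of a plaintext column: hash every row with its own salt.
    Run once, then drop the plaintext column and every backup that still holds it."""
    return {user: hash_password(pw) for user, pw in table.items()}


# Constructed sample rows (not real accounts).
LEGACY_TABLE = {"alice": store_plaintext("correct horse battery staple"),
                "bob": store_plaintext("hunter2")}


if __name__ == "__main__":
    migrated = migrate_plaintext_table(LEGACY_TABLE)
    for user, pw in LEGACY_TABLE.items():
        print(user, "| legacy row exposes:", pw,
              "| migrated row:", migrated[user][:40] + "...",
              "| verifies:", verify_password(migrated[user], pw))
```

The point of the migration function is the part a breach notice never mentions: hashing the live column is not enough if older backups still carry the plaintext column, which is exactly the kind of file the letters in this thread say was taken.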

Offline ETXZebra

  • *
  • Posts: 415
  • FAN REACTION: +18/-7
Re: ArbiterSports database lifted/ransomed
« Reply #3 on: August 28, 2020, 08:33:42 AM »
Weren't they also hacked a few years ago?

Offline ncwingman

  • *
  • Posts: 1274
  • FAN REACTION: +72/-13
  • Without officials... it is only recess.
Re: ArbiterSports database lifted/ransomed
« Reply #4 on: August 28, 2020, 11:08:52 AM »
Quote
They are offering a year's free subscription to an Experian ID service in response.  Apparently the breach compromises user id, e-mail addresses, SSN's, and personal data but they did not mention CC #'s.

Just FYI, a year of credit monitoring is useless. Frank Abagnale (from Catch Me If You Can) has a good take on these sorts of breaches and on what to do in response.

The short answer is that nobody is going to use this information right now, so that one year of free monitoring isn't going to be effective -- but you will be billed automatically after a year when you've forgotten about it.

Offline HLinNC

  • *
  • Posts: 3491
  • FAN REACTION: +133/-24
Re: ArbiterSports database lifted/ransomed
« Reply #5 on: August 28, 2020, 11:21:36 AM »
Yeah I know.  It's a CYA move for when they have to go to court. "See, SEE, your Honor, we gave 'em a year's free credit security.  What more would you have us do?"
 
I figure a year from now I'll spend my free time deleting "Renew your subscription now" e-mails from Experian.  I should have just made up a new gmail address to handle it.

Offline dammitbobby

  • *
  • Posts: 1181
  • FAN REACTION: +27/-8
  • I know just enough to be dangerous...
Re: ArbiterSports database lifted/ransomed
« Reply #6 on: August 28, 2020, 02:46:37 PM »
Got my letter today.  Interestingly (in light of someone else commenting on passwords being stored in plaintext), the letter states the miscreants were able to decrypt information in a backup file... which means it was 'roll their own' crypto (weak encryption keys) or they just stored the keys in the same place as the file.

They said they received confirmation that the backup file was deleted... uh huh.  sure.  I bet they pinky promised too.

Offline bossman72

  • *
  • Posts: 2119
  • FAN REACTION: +301/-25
Re: ArbiterSports database lifted/ransomed
« Reply #7 on: August 29, 2020, 07:45:28 PM »
Quote
Got my letter today.  Interestingly (in light of someone else commenting on passwords being stored in plaintext), the letter states the miscreants were able to decrypt information in a backup file... which means it was 'roll their own' crypto (weak encryption keys) or they just stored the keys in the same place as the file.

They said they received confirmation that the backup file was deleted... uh huh.  sure.  I bet they pinky promised too.

It's interesting because usually a ransomware attack encrypts all of your data and you don't get the decryption key back unless you pay, since it paralyzes your business.  This situation is odd, so either one of two things happened:
1) It happened the way they described - the hackers got access to the file and pinky-swear deleted the backup file when they paid.
2) The hackers bluffed and didn't actually hack anything and got them to pay.  "Hey, we hacked your database, but we'll delete it if you pay us!"

I'm hoping it's the latter.

Offline Official_21

  • *
  • Posts: 336
  • FAN REACTION: +9/-0
  • What on earth have I gotten myself into???
Re: ArbiterSports database lifted/ransomed
« Reply #8 on: August 31, 2020, 07:56:25 AM »
Some of the schools that our football officiating chapter services use Arbiter Pay as their method of payment.

I wonder if our officiating chapter is aware, and wonder if these schools have received notice as well and have made other plans to pay their officials?

At this point, with what has come to light in this post, I would not want to use Arbiter Pay.

Offline eprov

  • *
  • Posts: 40
  • FAN REACTION: +1/-0
Re: ArbiterSports database lifted/ransomed
« Reply #9 on: August 31, 2020, 10:43:55 AM »
Our state association MIAA (Mass) pays all the tournament officials in all sports through Arbiter. If officials want to be assigned a tournament game, they have to be on Arbiter. They got a letter too.  hEaDbAnG

Offline HLinNC

  • *
  • Posts: 3491
  • FAN REACTION: +133/-24
Re: ArbiterSports database lifted/ransomed
« Reply #10 on: August 31, 2020, 12:11:19 PM »
Quote
I wonder if our officiating chapter is aware, and wonder if these schools have received notice as well and have made other plans to pay their officials?

I texted our local AD.  He hadn't heard a thing about it.  They still issue a check and pay on-site.

Our RSO is apparently dealing with a hack of his PC.  Not sure if it's related.  He got an e-mail from Arbiter.

I would imagine a/some lawsuits down the road if financial info is involved in the breach.  They don't mention it in their letter but at this point, I'm not giving Arbiter a whole lot of credit for credibility.  A year's subscription to Experian will not remotely cover damages if banking info got out.

Does the NCAA still own or own a piece of them?


Offline dammitbobby

  • *
  • Posts: 1181
  • FAN REACTION: +27/-8
  • I know just enough to be dangerous...
Re: ArbiterSports database lifted/ransomed
« Reply #11 on: August 31, 2020, 12:36:32 PM »
No idea who owns them, but I guarantee you there will not be any (successful) lawsuits over this.  The prime argument they will give is that because breaches are so common today, your information was already exposed, therefore you can't suffer a loss due to their negligence.

Until stronger information security laws come about, nothing will change.  I am an infosec consultant, and I assure you that is a slippery slope that most legislators won't go down.

Offline Getting Fat

  • *
  • Posts: 192
  • FAN REACTION: +5/-6
Re: ArbiterSports database lifted/ransomed
« Reply #12 on: August 31, 2020, 01:02:37 PM »
Quote
No idea who owns them, but I guarantee you there will not be any (successful) lawsuits over this.  The prime argument they will give is that because breaches are so common today, your information was already exposed, therefore you can't suffer a loss due to their negligence.

Until stronger information security laws come about, nothing will change.  I am an infosec consultant, and I assure you that is a slippery slope that most legislators won't go down.

Strange, I'm under a completely different impression.  Texas law mirrors most states, see 521.052:

https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm

Basically, "reasonable procedures" will put them under a negligence standard.  Were they negligent in maintaining personal sensitive data?  I have no idea, an earlier post implied they were.


Offline dammitbobby

  • *
  • Posts: 1181
  • FAN REACTION: +27/-8
  • I know just enough to be dangerous...
Re: ArbiterSports database lifted/ransomed
« Reply #13 on: August 31, 2020, 01:10:42 PM »
Is arbiter based in Texas?

Offline ETXZebra

  • *
  • Posts: 415
  • FAN REACTION: +18/-7
Re: ArbiterSports database lifted/ransomed
« Reply #14 on: August 31, 2020, 01:42:01 PM »
I think Arbiter is based in Salt Lake City.

Offline Getting Fat

  • *
  • Posts: 192
  • FAN REACTION: +5/-6
Re: ArbiterSports database lifted/ransomed
« Reply #15 on: August 31, 2020, 03:23:10 PM »
They have nexus in TX, and are subject to Texas laws.  But, if you'd like the EXACT same Utah law, here ya go:

https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf

As I said, Texas law mirrors the law in almost every other state.

Offline dammitbobby

  • *
  • Posts: 1181
  • FAN REACTION: +27/-8
  • I know just enough to be dangerous...
Re: ArbiterSports database lifted/ransomed
« Reply #16 on: August 31, 2020, 04:09:06 PM »
IANAL but as far as I can tell they met the requirement for timely notification.  As far as negligence, I am not aware of any (successful) lawsuit against an org for a data breach.  Texas or otherwise.  They may be out there but they will be the exception not the norm.

Offline dammitbobby

  • *
  • Posts: 1181
  • FAN REACTION: +27/-8
  • I know just enough to be dangerous...
Re: ArbiterSports database lifted/ransomed
« Reply #17 on: April 14, 2022, 05:23:17 PM »
So technically I wasn't wrong, since they settled instead of going to trial (no successful lawsuits over data breaches). I vaguely remember getting a letter or e-mail to join in the settlement.  Got a random check in the mail today from the ArbiterSports Settlement Fund for $105.79.

Offline HLinNC

  • *
  • Posts: 3491
  • FAN REACTION: +133/-24
Re: ArbiterSports database lifted/ransomed
« Reply #18 on: April 15, 2022, 05:44:49 AM »
Well, maybe a little lunch money will come in the mail.  I still get an occasional e-mail from the web security firm they enlisted for us to use after the breach but I pay it no mind.